Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possible race condition in credential refresh #692

Closed
hiranya911 opened this issue Jul 9, 2021 · 2 comments
Closed

Possible race condition in credential refresh #692

hiranya911 opened this issue Jul 9, 2021 · 2 comments
Assignees
@clundin25
Labels
priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. status: investigating The issue is under investigation, which is determined to be non-trivial.

Comments

@hiranya911
Copy link
Contributor

We are seeing a possible race condition around credential refresh. We use the following code in an integration test suite to fetch OAuth2 tokens:

    GoogleCredentials credentials = ...;
    try {
      if (forceRefresh) {
        credentials.refresh();
      } else {
        credentials.getRequestMetadata();
      }

      AccessToken token = credentials.getAccessToken();
      return token.getTokenValue();
    } catch (IOException e) {
      throw new RuntimeException(e);
    }

We expect the credentials to contain a valid access token at the end of the if-else block. However, our tests intermittently fail by throwing a NullPointerException at token.getTokenValue(). Any thoughts on what might be going on here? What should we do to ensure that getAccessToken() always returns a non-null value?

Note: In the failing tests, forceRefresh has been set to false. So it should execute the credentials.getRequestMetadata() path.
@hiranya911
Copy link
Contributor Author

Seeing more strange behavior. Was trying to debug the above issue a bit further by running the following simple test case:

    GoogleCredentials cred = loadServiceAccount();
    
    cred.refresh();
    String t1 = cred.getAccessToken().getTokenValue();

    // Thread.sleep(1000);

    cred.refresh();
    String t2 = cred.getAccessToken().getTokenValue();
    assertNotEquals(t1, t2);

But this would fail most of the time:

java.lang.AssertionError: Values should be different. Actual: ya29.c.KqgBBwh5fCszBWUTEhptmtMA-1AAjGMcJK1XoNbOmH1rJDIOqYErmTCF1c3w1VIx1vc_1CiAB2AlBWuxkGHF75QSJ18mZkXX_54IcW9skiyA5Plmx26USngo4kiqsj1Wbk5IoT3A-...
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.failEquals(Assert.java:187)
	at org.junit.Assert.assertNotEquals(Assert.java:163)
	at org.junit.Assert.assertNotEquals(Assert.java:177)
	at com.google.firebase.auth.FirebaseAuthIT.testMe(FirebaseAuthIT.java:106)

Introducing some delay before the second refresh operation (just uncomment the sleep), increases success rate greatly.

@TimurSadykov TimurSadykov self-assigned this Jul 13, 2021
@TimurSadykov TimurSadykov added the status: investigating The issue is under investigation, which is determined to be non-trivial. label Jul 13, 2021
@hiranya911 hiranya911 mentioned this issue Aug 24, 2021
Merged
@Ironlink
Copy link

This happens randomly for us about once or twice per week. It occurs both locally on developer machines as well as in deployed environments such as staging and production.
We use the Cloud SQL postgres-socket-factory for IAM authentication between our applications and our Postgres databases. This library contains code to the effect of (see CloudSqlInstance.java):

GoogleCredentials credentials = ...;
credentials.refresh();
String token = credentials.getAccessToken().getTokenValue();

From this we see exceptions with these sample stack traces:

HikariPool-1 - Exception during pool initialization.
Error:	org.postgresql.util.PSQLException: Something unusual has occurred to cause the driver to fail. Please report this exception.
	at org.postgresql.Driver.connect(Driver.java:280)
	at com.zaxxer.hikari.util.DriverDataSource.getConnection(DriverDataSource.java:138)
	at com.zaxxer.hikari.pool.PoolBase.newConnection(PoolBase.java:364)
	at com.zaxxer.hikari.pool.PoolBase.newPoolEntry(PoolBase.java:206)
	at com.zaxxer.hikari.pool.HikariPool.createPoolEntry(HikariPool.java:476)
	at com.zaxxer.hikari.pool.HikariPool.checkFailFast(HikariPool.java:561)
	at com.zaxxer.hikari.pool.HikariPool.<init>(HikariPool.java:115)
	at com.zaxxer.hikari.HikariDataSource.getConnection(HikariDataSource.java:112)
<snip>
Caused by: java.lang.NullPointerException: Cannot invoke "com.google.auth.oauth2.AccessToken.getTokenValue()" because the return value of "com.google.auth.oauth2.OAuth2Credentials.getAccessToken()" is null
	at com.google.cloud.sql.core.CloudSqlInstance.fetchEphemeralCertificate(CloudSqlInstance.java:524)
	at com.google.cloud.sql.core.CloudSqlInstance.lambda$performRefresh$0(CloudSqlInstance.java:330)
	at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:131)
	at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:74)
	at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:82)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:833)

The effect of this for us is that our applications randomly fail to start. Please fix this.

@johanblumenberg johanblumenberg mentioned this issue Sep 21, 2022
Closed
4 tasks
@kurtisvg kurtisvg added the priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. label Sep 22, 2022
This was referenced Sep 28, 2022
Closed
Merged
clundin25 pushed a commit to clundin25/google-auth-library-java that referenced this issue Sep 30, 2022
@johanblumenberg @clundin25
fix: Proposal on how to fix issue googleapis#692
94cae23
clundin25 added a commit to clundin25/google-auth-library-java that referenced this issue Sep 30, 2022
@clundin25
Revert "fix: Proposal on how to fix issue googleapis#692"
7942167 
This reverts commit 514ffe3.
clundin25 added a commit that referenced this issue Oct 18, 2022
@clundin25 @johanblumenberg @igorbernstein2
fix: Resolve race condition reported in #692 (#1031)
87a6606 
Co-authored-by: Johan Blumenberg <johan.blumenberg@gmail.com>
Co-authored-by: Igor Berntein <igorbernstein@google.com>
@release-please release-please bot mentioned this issue Oct 18, 2022
Merged
gcf-merge-on-green bot pushed a commit that referenced this issue Oct 18, 2022
@release-please
chore(main): release 1.12.1 (#1059)
382e96a 
🤖 I have created a release *beep* *boop*
---


## [1.12.1](https://togithub.com/googleapis/google-auth-library-java/compare/v1.12.0...v1.12.1) (2022-10-18)


### Bug Fixes

* Resolve race condition reported in [#692](https://togithub.com/googleapis/google-auth-library-java/issues/692) ([#1031](https://togithub.com/googleapis/google-auth-library-java/issues/1031)) ([87a6606](https://togithub.com/googleapis/google-auth-library-java/commit/87a66067dff49d68f5b01cfe4c3f755fbf6b44fb))

---
This PR was generated with [Release Please](https://togithub.com/googleapis/release-please). See [documentation](https://togithub.com/googleapis/release-please#release-please).
@incomprendido incomprendido mentioned this issue Apr 24, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@clundin25 clundin25

Labels
priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. status: investigating The issue is under investigation, which is determined to be non-trivial.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Proposal on how to fix issue #692
5 participants
@hiranya911 @TimurSadykov @Ironlink @kurtisvg @clundin25